SLES 11 AUTH | as a LDAP client

Hi all,

I´m searching for a simple fully documentation of “connect a SLES 11 as a LDAP SSL client to a LDAP Server”

Could please help me find something suitable. We already have a LDAP Server I just want to connect my SLES so auth the users to LDAP.

I´m getting mad by trying to find any suitable.

Thanks a lot !

Hash: SHA1

Have you found this yet?

That, plus some other possibly-relevant articles, came up Googling for
the following:

sles 11 ldap client

Good luck.
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


Hi tbrinkmann,

what LDAP server? Does it already contain a user base and if yes, how’s that organized? (If the server is already used to authenticate SLES or other Linux users, then this should be fairly easy. But YMMV, especially if it is some random LDAP server with some obscure layout for existing user/group data…)

How much experience do you have with LDAP? Ae you using SSL just because it can be done or because you have security policies to implement? In the latter case, the LDAP access might be worth discussing, too.

There’s the plain & simple way to do things, there’s the secure way to do it, and there are many "in-between"s.


thanks for you replays. The problem was an wrong ssl-cert. I needed to convert the cert from der to pem.

After this the LDAP auth runs well.

So we use an OES E-Dirctory and that is my first experience with LDAP. My Problem on this point now ist that every user from the E-Dir can successful auth on my test
server. Can you give a small hint where to configure policies that only users from an certain group can connect via LDAP.

Thanks a lot !

Hi *T,

that’s an easy one: In /etc/ldap.conf on the client (the server you want to limit access to) you can set “pam_groupdn” to the DN of the group that contains the list of permitted users (as fully qualified DNs), i.e.

pam_groupdn cn=servername,ou=hostaccess,ou=group,dc=company,dc=com

The actual member of that node to contain the list of users is defined in the same file, i.e.

pam_member_attribute memberIf OES stores the values at other locations, you need to adopt these statements.


PS: I advise to keep an open root ssh session to the server while doing these changes. If you limit server ssh access to non-root users and incorrectly set those ldap.conf parameters, there’s no way to get into the system rather than via console… which may or may not be available at that time :wink:

questions again :-/

Does I need to create the users locally ?
Does I need to configure the modules for yast ?

It looks like that if I configure the pam_groupdn the system does ignored it.

Greetings *T

Hi *T,

we’re running LDAP-based users with per-system, LDAP-based “access” groups. No need to create the users locally and no need to do anything for YaST (though, as I’m doing many things via config files rather than YaST, my understanding of “to configure the modules for yast” may be different from yours).

Once we’ve set up the pam_groupdn statement, access to the system was limited to those users who are members of the group.

Come to think about it, you have set up PAM for LDAP support? You wrote “After this the LDAP auth runs well.” somewhere above, so I assume that the proper PAM modules are in place. Is your entry defined as “sufficient” or as “required”? IIRC the “password” stage is the important one, but I’m not sure - could be “session” as well.


Hi Jens,
thanks for helping me to dig this out. We move a little bit forward now we face the problem that we can not see any EDirectory groups.

We can browse the LDAP users in EDirectory but the users details not show any groups for the users. Also if we browse the user groups in yast we also see no groups.

In the EDirectory we have a lot of groups…

Do you have any idea why we cannot see user.


Hi *T,

there may of course be many causes to that :(.

Basically it boils down to matching the eDirectory content with what Linux client services expect to find inside the LDAP tree. Of course, the Linux system has to be set up to look at the LDAP information, too, but I take it that this has been already configured.

Searching for some details (I’m no eDirectory expert) I came across the following article describing the integration of Linux accounts into an eDirectory: This is an article in German - maybe some online translation tool can provide sufficient services to at least grasp the basic steps described there if German isn’t your native language. Chapter “2.1.1” seems to be what you’re looking for.


thanks for you help ! We opened a novell support ticket.

Grüße aus Bochum. *T